API tools faq
paste
Advertisement
BaSs_HaXoR

Project Memories & Reborn PwN3D

BaSs_HaXoR
Mar 7th, 2015
867
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 22.85 KB | None | 0 0
raw download clone embed print report
  1. MW3ProjectMemoriesV3 & MW2RebornV3 By Enstone:
  2. ######################################################
  3. MW3Memories:
  4. Antidump - DBA0A0
  5. CISC VM pointer - 00DBE7A4
  6. TM_WL_2: 00DBC87C
  7. ######################################################
  8. MW2RebornV3:
  9. Antidump - DCA0A0
  10. CISC_VMware - 00DCE505
  11. ######################################################
  12. //PwN3D By BaSs_HaXoR
  13.  
  14. Log data
  15. Address Message
  16. 02D40118 Breakpoint at 02D40118
  17.  
  18. -------------- File Info -------------
  19.  
  20. FIRST_PATH:
  21. C:\Users\BaSs_HaXoR\Desktop\FMT Tools Ready for Cracking\MW2RebornV3.exe
  22.  
  23. MAIN_PATH:
  24. C:\Users\BaSs_HaXoR\Desktop\FMT Tools Ready for Cracking\MW2RebornV3.exe
  25.  
  26. FIRST_FILE_NAME:
  27. MW2RebornV3.exe
  28.  
  29. FIRST_FILE_END:
  30. exe
  31.  
  32. FIRST_NAME:
  33. MW2RebornV3
  34.  
  35. ----------******************----------
  36.  
  37. Found 0 dec & 0 hex Active Processes!
  38.  
  39. ----------******************----------
  40.  
  41.  
  42. ----------- TLS MAIN INFOS -----------
  43.  
  44. TLS TABLE RVA: B88D44 & SIZE: 18
  45.  
  46. TLS TABLE VA: F88D44 & SIZE: 18
  47.  
  48. DATABLOCKSTART VA: D7F019
  49. DATABLOCKEND VA: D7F01C
  50. INDEXVARIABLE VA: D72CFC
  51. CALLBACKTABLE VA: D7E020
  52.  
  53. NO CALLBACK INSIDE PRESENT
  54.  
  55. ----------******************----------
  56.  
  57. PLUGINPATH: C:\Users\BaSs_HaXoR\Desktop\Deobfuscation\OllyDebugger shit\OllyDebugger
  58.  
  59. ------------ Plugin List -------------
  60.  
  61. No: PLUGIN-NAME
  62.  
  63.  
  64. ----------******************----------
  65. VM antidump redirector is used.
  66. Version retriever is not used.
  67. Oreans kernel32, user32 and advapi32 dll's are disabled.
  68. -------------
  69. Modulebase: 00400000
  70. Code & IAT Section: 00401000
  71.  
  72. Found new Anti-Dump store location at address: DCA0A0
  73.  
  74. 00FD3020 Breakpoint at MW2Rebor.00FD3020
  75. 00FD3005 Breakpoint at MW2Rebor.00FD3005
  76. 6EAF0000 Module C:\WINDOWS\SYSTEM32\ntmarta.dll
  77. 74800000 Module C:\WINDOWS\SYSTEM32\winmm.dll
  78. 741E0000 Module C:\WINDOWS\SYSTEM32\WINMMBASE.dll
  79. 75830000 Module C:\WINDOWS\SYSTEM32\cfgmgr32.dll
  80. 77038B90 Hardware breakpoint 1 at KERNEL32.VirtualAlloc
  81. ----------------------------
  82. VMware check pointer was found and patched at: 00DCE505
  83. ----------------------------
  84. CISC VM is located in the Themida - Winlicense section.
  85. ----------------------------
  86. VMware check pointer was found and patched at: 00DCE505
  87. ----------------------------
  88. TM_WL_2: 00DCCACA
  89.  
  90.  
  91.  
  92.  
  93.  
  94.  
  95.  
  96. #################### MW2 Reborn ####################
  97.  
  98.  
  99. ---------------EX--------------------------------------
  100. Call from: DCF085 | API: 77038B90 | NAME: VirtualAlloc
  101. -------------------------------------------------------
  102. ---------------EX--------------------------------------
  103. Call from: E0CF92 | API: 77038F80 | NAME: LoadLibraryA
  104. -------------------------------------------------------
  105. ---------------EX--------------------------------------
  106. Call from: E0CFB0 | API: 77038F80 | NAME: LoadLibraryA
  107. -------------------------------------------------------
  108. ---------------EX--------------------------------------
  109. Call from: E0CFC4 | API: 7703A940 | NAME: GetLocalTime
  110. -------------------------------------------------------
  111. ---------------EX--------------------------------------
  112. Call from: E0EA3B | API: 758E75A0 | NAME: MessageBoxExA
  113. -------------------------------------------------------
  114. ---------------EX--------------------------------------
  115. Call from: E0F2ED | API: 77048920 | NAME: CreateFileA
  116. -------------------------------------------------------
  117. ---------------EX--------------------------------------
  118. Call from: E10CDA | API: 75A3C620 | NAME: RegCreateKeyA
  119. -------------------------------------------------------
  120. ---------------EX--------------------------------------
  121. Call from: E10CF9 | API: 75A2E120 | NAME: RegFlushKey
  122. -------------------------------------------------------
  123. ---------------EX--------------------------------------
  124. Call from: E10D18 | API: 75A26FB0 | NAME: RegSetValueExA
  125. -------------------------------------------------------
  126. ---------------EX--------------------------------------
  127. Call from: E10D37 | API: 75A19330 | NAME: RegCloseKey
  128. -------------------------------------------------------
  129. ---------------EX--------------------------------------
  130. Call from: E10D56 | API: 75A194B0 | NAME: RegQueryValueExA
  131. -------------------------------------------------------
  132. ---------------EX--------------------------------------
  133. Call from: E11155 | API: 7703B5A0 | NAME: GetCommandLineA
  134. -------------------------------------------------------
  135. ---------------EX--------------------------------------
  136. Call from: E19CFB | API: 77048880 | NAME: SetEvent
  137. -------------------------------------------------------
  138. ---------------EX--------------------------------------
  139. Call from: E19D19 | API: 770488C0 | NAME: WaitForSingleObject
  140. -------------------------------------------------------
  141. ---------------EX--------------------------------------
  142. Call from: E19D37 | API: 77048740 | NAME: CreateEventA
  143. -------------------------------------------------------
  144. ---------------EX--------------------------------------
  145. Call from: E19D55 | API: 77038F80 | NAME: LoadLibraryA
  146. -------------------------------------------------------
  147. ---------------EX--------------------------------------
  148. Call from: E19D73 | API: 7703A790 | NAME: FreeLibrary
  149. -------------------------------------------------------
  150. ---------------EX--------------------------------------
  151. Call from: E19D91 | API: 77037B50 | NAME: GetProcAddress
  152. -------------------------------------------------------
  153. ---------------EX--------------------------------------
  154. Call from: E19DAF | API: 7703B2E0 | NAME: GetEnvironmentVariableA
  155. -------------------------------------------------------
  156. ---------------EX--------------------------------------
  157. Call from: E19DCD | API: 7589C850 | NAME: wsprintfA
  158. -------------------------------------------------------
  159. ---------------EX--------------------------------------
  160. Call from: E19DEB | API: 7703B5B0 | NAME: GetVersion
  161. -------------------------------------------------------
  162. ---------------EX--------------------------------------
  163. Call from: E19E09 | API: 77048920 | NAME: CreateFileA
  164. -------------------------------------------------------
  165. ---------------EX--------------------------------------
  166. Call from: E19E27 | API: 77049850 | NAME: ExitProcess
  167. -------------------------------------------------------
  168. ---------------EX--------------------------------------
  169. Call from: E19E45 | API: 77038A50 | NAME: DeviceIoControl
  170. -------------------------------------------------------
  171. ---------------EX--------------------------------------
  172. Call from: E19E5C | API: 75A26BB0 | NAME: RegOpenKeyA
  173. -------------------------------------------------------
  174. ---------------EX--------------------------------------
  175. Call from: E19E7A | API: 770486F0 | NAME: CloseHandle
  176. -------------------------------------------------------
  177. ---------------EX--------------------------------------
  178. Call from: E19E98 | API: 77038F20 | NAME: VirtualFree
  179. -------------------------------------------------------
  180. ---------------EX--------------------------------------
  181. Call from: E19EB6 | API: 770382D0 | NAME: Sleep
  182. -------------------------------------------------------
  183. ---------------EX--------------------------------------
  184. Call from: E1806D | API: 77038B10 | NAME: GetVersionExA
  185. -------------------------------------------------------
  186. ---------------EX--------------------------------------
  187. Call from: E18A06 | API: 75A19330 | NAME: RegCloseKey
  188. -------------------------------------------------------
  189. ---------------EX--------------------------------------
  190. Call from: E18A80 | API: 75A194B0 | NAME: RegQueryValueExA
  191. -------------------------------------------------------
  192. ---------------EX--------------------------------------
  193. Call from: E1EB91 | API: 770382D0 | NAME: Sleep
  194. -------------------------------------------------------
  195. ---------------EX--------------------------------------
  196. Call from: E21FB6 | API: 77048920 | NAME: CreateFileA
  197. -------------------------------------------------------
  198. ---------------EX--------------------------------------
  199. Call from: E21FC0 | API: 77048AF0 | NAME: GetFileSize
  200. -------------------------------------------------------
  201. ---------------EX--------------------------------------
  202. Call from: E21FCA | API: 77038B90 | NAME: VirtualAlloc
  203. -------------------------------------------------------
  204. ---------------EX--------------------------------------
  205. Call from: E21FD4 | API: 77048C00 | NAME: ReadFile
  206. -------------------------------------------------------
  207. ---------------EX--------------------------------------
  208. Call from: E21FDE | API: 77038B10 | NAME: GetVersionExA
  209. -------------------------------------------------------
  210. ---------------EX--------------------------------------
  211. Call from: E21FF2 | API: 7703A890 | NAME: GetSystemDirectoryA
  212. -------------------------------------------------------
  213. ---------------EX--------------------------------------
  214. Call from: E2202E | API: 770486F0 | NAME: CloseHandle
  215. -------------------------------------------------------
  216. ---------------EX--------------------------------------
  217. Call from: E30FB8 | API: 77032410 | NAME: IsBadReadPtr
  218. -------------------------------------------------------
  219. ---------------GPA---------------------------------
  220. Call from: E3306C | API: 7726D7B0 | NAME: NtOpenThread
  221. -------------------------------------------------------
  222. ---------------GPA---------------------------------
  223. Call from: E335A8 | API: 74802800 | NAME: timeGetTime
  224. -------------------------------------------------------
  225. ---------------EX--------------------------------------
  226. Call from: E573D8 | API: 770431B0 | NAME: Process32Next
  227. -------------------------------------------------------
  228. ---------------EX--------------------------------------
  229. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  230. -------------------------------------------------------
  231. ---------------EX--------------------------------------
  232. Call from: E3AFE9 | API: 77032410 | NAME: IsBadReadPtr
  233. -------------------------------------------------------
  234. ---------------GPA---------------------------------
  235. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  236. -------------------------------------------------------
  237. ---------------EX--------------------------------------
  238. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  239. -------------------------------------------------------
  240. ---------------GPA---------------------------------
  241. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  242. -------------------------------------------------------
  243. ---------------EX--------------------------------------
  244. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  245. -------------------------------------------------------
  246. ---------------GPA---------------------------------
  247. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  248. -------------------------------------------------------
  249. ---------------EX--------------------------------------
  250. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  251. -------------------------------------------------------
  252. ---------------GPA---------------------------------
  253. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  254. -------------------------------------------------------
  255. ---------------EX--------------------------------------
  256. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  257. -------------------------------------------------------
  258. ---------------GPA---------------------------------
  259. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  260. -------------------------------------------------------
  261. ---------------EX--------------------------------------
  262. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  263. -------------------------------------------------------
  264. ---------------GPA---------------------------------
  265. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  266. -------------------------------------------------------
  267. ---------------EX--------------------------------------
  268. Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
  269. -------------------------------------------------------
  270. ---------------GPA---------------------------------
  271. Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  272. -------------------------------------------------------
  273. ---------------EX--------------------------------------
  274. Call from: E6068C | API: 7726C800 | NAME: ZwQueryInformationProcess
  275. -------------------------------------------------------
  276. ---------------EX--------------------------------------
  277. Call from: E62BF0 | API: 7726C740 | NAME: ZwSetInformationThread
  278. -------------------------------------------------------
  279.  
  280. #################### MW3 MEMORIES ####################
  281.  
  282. ---------------EX--------------------------------------
  283. Call from: DBF275 | API: 77038B90 | NAME: VirtualAlloc
  284. -------------------------------------------------------
  285. ---------------EX--------------------------------------
  286. Call from: DFCE9D | API: 77038F80 | NAME: LoadLibraryA
  287. -------------------------------------------------------
  288. ---------------EX--------------------------------------
  289. Call from: DFCEBB | API: 77038F80 | NAME: LoadLibraryA
  290. -------------------------------------------------------
  291. ---------------EX--------------------------------------
  292. Call from: DFCECF | API: 7703A940 | NAME: GetLocalTime
  293. -------------------------------------------------------
  294. ---------------EX--------------------------------------
  295. Call from: DFF09F | API: 758E75A0 | NAME: MessageBoxExA
  296. -------------------------------------------------------
  297. ---------------EX--------------------------------------
  298. Call from: E00CAE | API: 75A3C620 | NAME: RegCreateKeyA
  299. -------------------------------------------------------
  300. ---------------EX--------------------------------------
  301. Call from: E00CCD | API: 75A2E120 | NAME: RegFlushKey
  302. -------------------------------------------------------
  303. ---------------EX--------------------------------------
  304. Call from: E00CEC | API: 75A26FB0 | NAME: RegSetValueExA
  305. -------------------------------------------------------
  306. ---------------EX--------------------------------------
  307. Call from: E00D0B | API: 75A19330 | NAME: RegCloseKey
  308. -------------------------------------------------------
  309. ---------------EX--------------------------------------
  310. Call from: E00D2A | API: 75A194B0 | NAME: RegQueryValueExA
  311. -------------------------------------------------------
  312. ---------------EX--------------------------------------
  313. Call from: E00EAE | API: 77048920 | NAME: CreateFileA
  314. -------------------------------------------------------
  315. ---------------EX--------------------------------------
  316. Call from: E01F2E | API: 7703B5A0 | NAME: GetCommandLineA
  317. -------------------------------------------------------
  318. ---------------EX--------------------------------------
  319. Call from: E099B8 | API: 77048880 | NAME: SetEvent
  320. -------------------------------------------------------
  321. ---------------EX--------------------------------------
  322. Call from: E099D6 | API: 770488C0 | NAME: WaitForSingleObject
  323. -------------------------------------------------------
  324. ---------------EX--------------------------------------
  325. Call from: E099F4 | API: 77048740 | NAME: CreateEventA
  326. -------------------------------------------------------
  327. ---------------EX--------------------------------------
  328. Call from: E09A12 | API: 77038F80 | NAME: LoadLibraryA
  329. -------------------------------------------------------
  330. ---------------EX--------------------------------------
  331. Call from: E09A30 | API: 7703A790 | NAME: FreeLibrary
  332. -------------------------------------------------------
  333. ---------------EX--------------------------------------
  334. Call from: E09A4E | API: 77037B50 | NAME: GetProcAddress
  335. -------------------------------------------------------
  336. ---------------EX--------------------------------------
  337. Call from: E09A6C | API: 7703B2E0 | NAME: GetEnvironmentVariableA
  338. -------------------------------------------------------
  339. ---------------EX--------------------------------------
  340. Call from: E09A8A | API: 7589C850 | NAME: wsprintfA
  341. -------------------------------------------------------
  342. ---------------EX--------------------------------------
  343. Call from: E09AA8 | API: 7703B5B0 | NAME: GetVersion
  344. -------------------------------------------------------
  345. ---------------EX--------------------------------------
  346. Call from: E09AC6 | API: 77048920 | NAME: CreateFileA
  347. -------------------------------------------------------
  348. ---------------EX--------------------------------------
  349. Call from: E09AE4 | API: 77049850 | NAME: ExitProcess
  350. -------------------------------------------------------
  351. ---------------EX--------------------------------------
  352. Call from: E09B02 | API: 77038A50 | NAME: DeviceIoControl
  353. -------------------------------------------------------
  354. ---------------EX--------------------------------------
  355. Call from: E09B19 | API: 75A26BB0 | NAME: RegOpenKeyA
  356. -------------------------------------------------------
  357. ---------------EX--------------------------------------
  358. Call from: E09B37 | API: 770486F0 | NAME: CloseHandle
  359. -------------------------------------------------------
  360. ---------------EX--------------------------------------
  361. Call from: E09B55 | API: 77038F20 | NAME: VirtualFree
  362. -------------------------------------------------------
  363. ---------------EX--------------------------------------
  364. Call from: E09B73 | API: 770382D0 | NAME: Sleep
  365. -------------------------------------------------------
  366. ---------------EX--------------------------------------
  367. Call from: E07DEF | API: 77038B10 | NAME: GetVersionExA
  368. -------------------------------------------------------
  369. ---------------EX--------------------------------------
  370. Call from: E0B965 | API: 75A19330 | NAME: RegCloseKey
  371. -------------------------------------------------------
  372. ---------------EX--------------------------------------
  373. Call from: E0B9DF | API: 75A194B0 | NAME: RegQueryValueExA
  374. -------------------------------------------------------
  375. ---------------EX--------------------------------------
  376. Call from: E0F535 | API: 770382D0 | NAME: Sleep
  377. -------------------------------------------------------
  378. ---------------EX--------------------------------------
  379. Call from: E11D2B | API: 77048920 | NAME: CreateFileA
  380. -------------------------------------------------------
  381. ---------------EX--------------------------------------
  382. Call from: E11D35 | API: 77048AF0 | NAME: GetFileSize
  383. -------------------------------------------------------
  384. ---------------EX--------------------------------------
  385. Call from: E11D3F | API: 77038B90 | NAME: VirtualAlloc
  386. -------------------------------------------------------
  387. ---------------EX--------------------------------------
  388. Call from: E11D49 | API: 77048C00 | NAME: ReadFile
  389. -------------------------------------------------------
  390. ---------------EX--------------------------------------
  391. Call from: E11D53 | API: 77038B10 | NAME: GetVersionExA
  392. -------------------------------------------------------
  393. ---------------EX--------------------------------------
  394. Call from: E11D67 | API: 7703A890 | NAME: GetSystemDirectoryA
  395. -------------------------------------------------------
  396. ---------------EX--------------------------------------
  397. Call from: E11DA3 | API: 770486F0 | NAME: CloseHandle
  398. -------------------------------------------------------
  399. ---------------EX--------------------------------------
  400. Call from: E1FCD0 | API: 77032410 | NAME: IsBadReadPtr
  401. -------------------------------------------------------
  402. ---------------GPA---------------------------------
  403. Call from: E21EBA | API: 7726D7B0 | NAME: NtOpenThread
  404. -------------------------------------------------------
  405. ---------------GPA---------------------------------
  406. Call from: E224ED | API: 74802800 | NAME: timeGetTime
  407. -------------------------------------------------------
  408. ---------------EX--------------------------------------
  409. Call from: E46126 | API: 770431B0 | NAME: Process32Next
  410. -------------------------------------------------------
  411. ---------------EX--------------------------------------
  412. Call from: E47352 | API: 7726C800 | NAME: ZwQueryInformationProcess
  413. -------------------------------------------------------
  414. ---------------EX--------------------------------------
  415. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  416. -------------------------------------------------------
  417. ---------------EX--------------------------------------
  418. Call from: E28DD8 | API: 77032410 | NAME: IsBadReadPtr
  419. -------------------------------------------------------
  420. ---------------GPA---------------------------------
  421. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  422. -------------------------------------------------------
  423. ---------------EX--------------------------------------
  424. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  425. -------------------------------------------------------
  426. ---------------GPA---------------------------------
  427. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  428. -------------------------------------------------------
  429. ---------------EX--------------------------------------
  430. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  431. -------------------------------------------------------
  432. ---------------GPA---------------------------------
  433. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  434. -------------------------------------------------------
  435. ---------------EX--------------------------------------
  436. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  437. -------------------------------------------------------
  438. ---------------GPA---------------------------------
  439. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  440. -------------------------------------------------------
  441. ---------------EX--------------------------------------
  442. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  443. -------------------------------------------------------
  444. ---------------GPA---------------------------------
  445. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  446. -------------------------------------------------------
  447. ---------------EX--------------------------------------
  448. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  449. -------------------------------------------------------
  450. ---------------GPA---------------------------------
  451. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  452. -------------------------------------------------------
  453. ---------------EX--------------------------------------
  454. Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
  455. -------------------------------------------------------
  456. ---------------GPA---------------------------------
  457. Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
  458. -------------------------------------------------------
  459. ---------------EX--------------------------------------
  460. Call from: E51FB0 | API: 7726C740 | NAME: ZwSetInformationThread
  461. -------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!